-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2016.0025
A number of vulnerabilities have been identified in Mozilla
Firefox and Mozilla Firefox ESR
9 March 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           Mozilla Firefox
                   Mozilla Firefox ESR
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   Android
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Overwrite Arbitrary Files       -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2802 CVE-2016-2801 CVE-2016-2800
                   CVE-2016-2799 CVE-2016-2798 CVE-2016-2797
                   CVE-2016-2796 CVE-2016-2795 CVE-2016-2794
                   CVE-2016-2793 CVE-2016-2792 CVE-2016-2791
                   CVE-2016-2790 CVE-2016-1979 CVE-2016-1977
                   CVE-2016-1976 CVE-2016-1975 CVE-2016-1974
                   CVE-2016-1973 CVE-2016-1972 CVE-2016-1971
                   CVE-2016-1970 CVE-2016-1968 CVE-2016-1967
                   CVE-2016-1966 CVE-2016-1965 CVE-2016-1964
                   CVE-2016-1963 CVE-2016-1962 CVE-2016-1961
                   CVE-2016-1960 CVE-2016-1959 CVE-2016-1958
                   CVE-2016-1957 CVE-2016-1956 CVE-2016-1955
                   CVE-2016-1954 CVE-2016-1953 CVE-2016-1952
                   CVE-2016-1950
Member content until: Friday, April 8 2016
OVERVIEW
A number of vulnerabilities have been identified in Mozilla Firefox
prior to version 45 and Mozilla Firefox ESR prior to version 38.7.
[1-22]
IMPACT
The vendor has provided the following details regarding the
vulnerabilities:
CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792,
CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796,
CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800,
CVE-2016-2801, CVE-2016-2802:
"Security researcher Holger Fuhrmannek and Mozilla security engineer
Tyson Smith reported a number of security vulnerabilities in the
Graphite 2 library affecting version 1.3.5.
The issue reported by Holger Fuhrmannek is a mechanism to induce
stack corruption with a malicious graphite font. This leads to a
potentially exploitable crash when the font is loaded.
Tyson Smith used the Address Sanitizer tool in concert with a custom
software fuzzer to find a series of uninitialized memory,
out-of-bounds read, and out-of-bounds write errors when working with
fuzzed graphite fonts." [1]
CVE-2016-1952, CVE-2016-1953: "Mozilla developers fixed several
memory safety bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these bugs showed evidence of memory
corruption under certain circumstances, and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code." [2]
CVE-2016-1954: "Security researcher Nicolas Golubovic reported that
a malicious page can overwrite files on the user's machine using
Content Security Policy (CSP) violation reports. The file contents
are restricted to the JSON format of the report. In many cases
overwriting a local file may simply be destructive, breaking the
functionality of that file. The CSP error reports can include HTML
fragments which could be rendered by browsers. If a user has
disabled add-on signing and has installed an "unpacked" add-on, a
malicious page could overwrite one of the add-on resources.
Depending on how this resource is used, this could lead to privilege
escalation." [3]
CVE-2016-1955: "Security researcher Muneaki Nishimura (nishimunea)
of Recruit Technologies Co., Ltd. reported that Content Security
Policy (CSP) violation reports contained full path information for
cross-origin iframe navigations in violation of the CSP
specification. This could result in information disclosure." [4]
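The two CSP-report issues above share one mechanism: the browser serialises a violation into a small JSON document and POSTs it to the policy's report-uri. CVE-2016-1954 is about where that attacker-influenced JSON ended up on disk; CVE-2016-1955 is about the browser forgetting to truncate cross-origin URLs inside it. The following JavaScript is an added example (not Mozilla's code) that builds such a report and applies the "strip URI for reporting" rule from CSP Level 2 as the editor understands it: non-HTTP(S) schemes collapse to the bare scheme, cross-origin URLs collapse to their origin, and same-origin URLs lose only their fragment (credentials are dropped as well here, as a conservative choice). The field names follow the CSP 2 report format; the hosts, policy and URLs are constructed for illustration.

```javascript
// Added example, not Mozilla's code. Models the CSP Level 2 report body and
// the URL-stripping rule that CVE-2016-1955 violated for cross-origin iframe
// navigations. Host names, policy strings and URLs below are constructed.

function stripForReporting(uriString, protectedResourceOrigin) {
  const uri = new URL(uriString);
  // Non-HTTP(S) resources (data:, blob:, chrome:, ...) are reported as the
  // scheme alone, so nothing embedded in the URL leaks into the report.
  if (uri.protocol !== "http:" && uri.protocol !== "https:") {
    return uri.protocol.replace(/:$/, "");
  }
  // Cross-origin resources are reported as their origin only: no path,
  // query or fragment. This is the step the vulnerable build skipped.
  if (uri.origin !== protectedResourceOrigin) {
    return uri.origin;
  }
  // Same-origin resources keep path and query; fragment (and, in this
  // example, any credentials) are removed before serialisation.
  uri.hash = "";
  uri.username = "";
  uri.password = "";
  return uri.href;
}

function buildCspReport({
  documentUri,
  blockedUri,
  violatedDirective,
  originalPolicy,
  referrer = "",
  statusCode = 200,
}) {
  // The protected resource is the document whose policy was violated; every
  // URL in the report is stripped relative to its origin.
  const protectedOrigin = new URL(documentUri).origin;
  return {
    "csp-report": {
      "document-uri": stripForReporting(documentUri, protectedOrigin),
      "referrer": referrer ? stripForReporting(referrer, protectedOrigin) : "",
      "blocked-uri": stripForReporting(blockedUri, protectedOrigin),
      "violated-directive": violatedDirective,
      "effective-directive": violatedDirective.split(" ")[0],
      "original-policy": originalPolicy,
      "status-code": statusCode,
    },
  };
}

// Constructed scenario mirroring CVE-2016-1955: a page on https://app.example
// has an iframe that navigates to a forbidden cross-origin URL. A correct
// report names only "https://third.example"; the vulnerable build included
// the full path and query, disclosing them to the report-uri endpoint.
const SAMPLE_REPORT = buildCspReport({
  documentUri: "https://app.example/dashboard#settings",
  blockedUri: "https://third.example/private/account?id=42#section",
  violatedDirective: "frame-src 'self'",
  originalPolicy: "frame-src 'self'; report-uri /csp-report",
});

// The body a browser would POST with Content-Type application/csp-report.
const SAMPLE_REPORT_BODY = JSON.stringify(SAMPLE_REPORT);
```

The JSON body is entirely derived from the page and the policy, which is why a bug that lets a page choose where the report is written (CVE-2016-1954) turns a logging feature into a file-overwrite primitive; and why the origin-only truncation matters, since the report endpoint is often a third party.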
CVE-2016-1956: "Security researcher Ucha Gobejishvili reported a
denial of service (DOS) attack when doing certain WebGL operations
in a canvas requiring an unusually large amount of buffer to be
allocated from video memory. This resulted in memory resource
exhaustion with some Intel video cards, requiring the computer to be
rebooted to return functionality. This was resolved by putting in
additional checks on the amount of memory to be allocated during
graphics processing." [5]
CVE-2016-1957: "Security researchers Jose Martinez and Romina
Santillan reported a memory leak in the libstagefright library when
array destruction occurs during MPEG4 video file processing." [6]
CVE-2016-1958: "Security researcher Abdulrahman Alqabandi reported
an issue where an attacker can load an arbitrary web page but the
addressbar's displayed URL will be blank or filled with page defined
content. This can be used to obfuscate which page is currently
loaded and allows for an attacker to spoof an existing page without
the malicious page's address being displayed correctly." [7]
CVE-2016-1959: "Security researcher Looben Yang reported a mechanism
where the Clients API in Service Workers can be used to trigger an
out-of-bounds read in ServiceWorkerManager. This results in a
potentially exploitable crash." [8]
CVE-2016-1960: "Security researcher ca0nguyen, working with HP's
Zero Day Initiative, reported a use-after-free issue in the HTML5
string parser when parsing a particular set of table-related tags in
a foreign fragment context such as SVG. This results in a
potentially exploitable crash." [9]
CVE-2016-1961: "Security researcher lokihardt, working with HP's
Zero Day Initiative, reported a use-after-free issue in the SetBody
function of HTMLDocument. This results in a potentially exploitable
crash." [10]
CVE-2016-1962: "Security researcher Dominique Hazaël-Massieux
reported a use-after-free issue when using multiple WebRTC data
channel connections. This causes a potentially exploitable crash
when a data channel connection is freed from within a call through
it." [11]
CVE-2016-1963: "Security researcher Oriol reported memory corruption
when local files are modified (by either the user or another
program) at the same time being read using the FileReader API. This
flaw requires that input be taken from a local file in order to be
triggered and cannot be triggered by web content. This results in a
potentially exploitable crash when triggered." [12]
CVE-2016-1964: "Security researcher Nicolas Grégoire used the
Address Sanitizer to find a use-after-free during XML transformation
operations. This results in a potentially exploitable crash
triggerable by web content." [13]
CVE-2016-1965: "Security researcher Tsubasa Iinuma reported a
mechanism where the displayed addressbar can be spoofed to users.
This issue involves using history navigation in concert with the
Location protocol property. After navigating from a malicious page
to another, if the user navigates back to the initial page, the
displayed URL will not reflect the reloaded page. This could be used
to trick users into potentially treating the page as a different and
trusted site." [14]
CVE-2016-1967: "Security researcher Jordi Chancel discovered a
variant of Mozilla Foundation Security Advisory 2015-136 which was
fixed in Firefox 43. In the original bug, it was possible to read
cross-origin URLs following a redirect if performance.getEntries()
was used along with an iframe to host a page. Navigating back in
history through script, content was pulled from the browser cache
for the redirected location instead of going to the original
location. In the newly reported variant issue, it was found that if
a browser session was restored, history navigation would still allow
for the same attack as content was restored from the browser cache.
This is a same-origin policy violation and could allow for data
theft." [15]
CVE-2016-1966: "The Communications Electronics Security Group (UK)
of the GCHQ reported a dangling pointer dereference within the
Netscape Plugin Application Programming Interface (NPAPI) that could
lead to the NPAPI subsystem crashing. This issue requires a
maliciously crafted NPAPI plugin in concert with scripted web
content, resulting in a potentially exploitable crash when
triggered." [16]
CVE-2016-1970, CVE-2016-1971, CVE-2016-1975, CVE-2016-1976,
CVE-2016-1972: "Security researcher Ronald Crane reported five
"moderate" rated vulnerabilities affecting released code that were
found through code inspection. These included the following issues
in WebRTC: an integer underflow, a missing status check, race
condition, and a use of deleted pointers to create a new object. A
race condition in LibVPX was also identified. These do not all have
clear mechanisms to be exploited through web content but are
vulnerable if a mechanism can be found to trigger them." [17]
CVE-2016-1973: "Security researcher Ronald Crane reported a race
condition in GetStaticInstance in WebRTC which results in a
use-after-free. This could result in a potentially exploitable
crash. This issue was found through code inspection and does not
have a clear mechanism to be exploited through web content but is
vulnerable if a mechanism can be found to trigger it." [18]
CVE-2016-1974: "Security researcher Ronald Crane reported an
out-of-bounds read following a failed allocation in the HTML parser
while working with unicode strings. This can also affect the parsing
of XML and SVG format data. This leads to a potentially exploitable
crash." [19]
CVE-2016-1968: "Security researcher Luke Li reported a pointer
underflow bug in the Brotli library's decompression that leads to a
buffer overflow. This results in a potentially exploitable crash
when triggered." [20]
CVE-2016-1979: "Mozilla developer Tim Taubert used the Address
Sanitizer tool and software fuzzing to discover a use-after-free
vulnerability while processing DER encoded keys in the Network
Security Services (NSS) libraries. The vulnerability overwrites the
freed memory with zeroes. This issue has been addressed in NSS
3.21.1, shipping in Firefox 45." [21]
CVE-2016-1950: "Security researcher Francis Gabriel reported a
heap-based buffer overflow in the way the Network Security Services
(NSS) libraries parsed certain ASN.1 structures. An attacker could
create a specially-crafted certificate which, when parsed by NSS,
would cause it to crash or execute arbitrary code with the
permissions of the user." [22]
MITIGATION
The vendor recommends updating to the latest versions of Firefox and
Firefox ESR to address these issues. [1-22]
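A quick way to check whether a deployed build is still exposed, added here as an example and not part of the AusCERT or Mozilla material: the JavaScript below takes the string that `firefox --version` prints and compares it against the fixed versions given in the OVERVIEW (45 for the mainline release, 38.7 for ESR). It assumes output of the form "Mozilla Firefox 38.6.1" and that any 38.x build seen in March 2016 is on the ESR branch, since mainline 38 had long been superseded; the sample strings are constructed.

```javascript
// Added example (not AusCERT's or Mozilla's code). Classifies a Firefox
// version string as affected or fixed for this bulletin. Assumptions:
// `firefox --version` prints "Mozilla Firefox <major>.<minor>[.<patch>]",
// and a major version of 38 means the ESR branch.

const FIXED_MAINLINE = [45, 0, 0]; // Firefox 45 (OVERVIEW)
const FIXED_ESR = [38, 7, 0];      // Firefox ESR 38.7 (OVERVIEW)
const ESR_MAJOR = 38;              // assumption: 38.x == ESR in March 2016

function parseFirefoxVersion(output) {
  // Picks the first dotted version; a trailing beta tag like "45.0b3" is
  // ignored, which rates a beta as its base release.
  const m = /(\d+)\.(\d+)(?:\.(\d+))?/.exec(output);
  if (!m) {
    throw new Error(`no version number in: ${JSON.stringify(output)}`);
  }
  return [Number(m[1]), Number(m[2]), Number(m[3] ?? 0)];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(output) {
  const v = parseFirefoxVersion(output);
  // ESR builds are judged against 38.7; everything else against 45.
  const fixed = v[0] === ESR_MAJOR ? FIXED_ESR : FIXED_MAINLINE;
  return compareVersions(v, fixed) < 0;
}

// Constructed sample outputs, as an inventory script might collect them.
const SAMPLE_HOSTS = {
  "ws-01": "Mozilla Firefox 38.6.1",
  "ws-02": "Mozilla Firefox 38.7.0",
  "ws-03": "Mozilla Firefox 44.0.2",
  "ws-04": "Mozilla Firefox 45.0",
};

function affectedHosts(inventory) {
  return Object.entries(inventory)
    .filter(([, output]) => isAffected(output))
    .map(([host]) => host);
}
```

Run against the constructed inventory, `affectedHosts(SAMPLE_HOSTS)` reports ws-01 and ws-03; ws-02 is on the patched ESR line and ws-04 on the patched mainline release. The branch split is the part worth getting right: a naive "is it below 45?" test would flag a fully patched 38.7 ESR install.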
REFERENCES
[1] Mozilla Foundation Security Advisory 2016-37: Font vulnerabilities in
the Graphite 2 library
https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/
[2] Mozilla Foundation Security Advisory 2016-16: Miscellaneous memory
safety hazards (rv:45.0 / rv:38.7)
https://www.mozilla.org/en-US/security/advisories/mfsa2016-16/
[3] Mozilla Foundation Security Advisory 2016-17: Local file
overwriting and potential privilege escalation through CSP reports
https://www.mozilla.org/en-US/security/advisories/mfsa2016-17/
[4] Mozilla Foundation Security Advisory 2016-18: CSP reports fail to
strip location information for embedded iframe pages
https://www.mozilla.org/en-US/security/advisories/mfsa2016-18/
[5] Mozilla Foundation Security Advisory 2016-19: Linux video memory
DOS with Intel drivers
https://www.mozilla.org/en-US/security/advisories/mfsa2016-19/
[6] Mozilla Foundation Security Advisory 2016-20: Memory leak in
libstagefright when deleting an array during MP4 processing
https://www.mozilla.org/en-US/security/advisories/mfsa2016-20/
[7] Mozilla Foundation Security Advisory 2016-21: Displayed page
address can be overridden
https://www.mozilla.org/en-US/security/advisories/mfsa2016-21/
[8] Mozilla Foundation Security Advisory 2016-22: Service Worker
Manager out-of-bounds read in Service Worker Manager
https://www.mozilla.org/en-US/security/advisories/mfsa2016-22/
[9] Mozilla Foundation Security Advisory 2016-23: Use-after-free in
HTML5 string parser
https://www.mozilla.org/en-US/security/advisories/mfsa2016-23/
[10] Mozilla Foundation Security Advisory 2016-24: Use-after-free in
SetBody
https://www.mozilla.org/en-US/security/advisories/mfsa2016-24/
[11] Mozilla Foundation Security Advisory 2016-25: Use-after-free when
using multiple WebRTC data channels
https://www.mozilla.org/en-US/security/advisories/mfsa2016-25/
[12] Mozilla Foundation Security Advisory 2016-26: Memory corruption
when modifying a file being read by FileReader
https://www.mozilla.org/en-US/security/advisories/mfsa2016-26/
[13] Mozilla Foundation Security Advisory 2016-27: Use-after-free
during XML transformations
https://www.mozilla.org/en-US/security/advisories/mfsa2016-27/
[14] Mozilla Foundation Security Advisory 2016-28: Addressbar spoofing
through history navigation and Location protocol property
https://www.mozilla.org/en-US/security/advisories/mfsa2016-28/
[15] Mozilla Foundation Security Advisory 2016-29: Same-origin policy
violation using performance.getEntries and history navigation with
session restore
https://www.mozilla.org/en-US/security/advisories/mfsa2016-29/
[16] Mozilla Foundation Security Advisory 2016-31: Memory corruption
with malicious NPAPI plugin
https://www.mozilla.org/en-US/security/advisories/mfsa2016-31/
[17] Mozilla Foundation Security Advisory 2016-32: WebRTC and LibVPX
vulnerabilities found through code inspection
https://www.mozilla.org/en-US/security/advisories/mfsa2016-32/
[18] Mozilla Foundation Security Advisory 2016-33: Use-after-free in
GetStaticInstance in WebRTC
https://www.mozilla.org/en-US/security/advisories/mfsa2016-33/
[19] Mozilla Foundation Security Advisory 2016-34: Out-of-bounds read
in HTML parser following a failed allocation
https://www.mozilla.org/en-US/security/advisories/mfsa2016-34/
[20] Mozilla Foundation Security Advisory 2016-30: Buffer overflow in
Brotli decompression
https://www.mozilla.org/en-US/security/advisories/mfsa2016-30/
[21] Mozilla Foundation Security Advisory 2016-36: Use-after-free
during processing of DER encoded keys in NSS
https://www.mozilla.org/en-US/security/advisories/mfsa2016-36/
[22] Mozilla Foundation Security Advisory 2016-35: Buffer overflow
during ASN.1 decoding in NSS
https://www.mozilla.org/en-US/security/advisories/mfsa2016-35/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----